Netgate Discussion Forum

10G Throughput with Snort (IDS/IPS)
DaddyGo @aadder (last edited by DaddyGo)

@aadder said in 10G Throughput with Snort:

I'm needing some suggestions for my next build.

Hi,

I will honestly tell you that pfSense is a routing-capable NGFW (and knows much more).
You don't really need a power machine for this purpose; you don't think of it as a server, especially in a SOHO environment... keep in mind that your wallet shouldn't be empty because of your high electricity bill...

So after my preliminary, where would you like to achieve 10G throughput with Snort and in what environment?

Suricata is multi-threaded, anyway 😉

In terms of hardware, by the way, this should be your bible:
https://www.freebsd.org/releases/11.3R/hardware.html

Cats bury it so they can't see it!
(You know what I mean if you have a cat)
Cool_Corona

You wouldn't be able to achieve 10G with IDS/IPS on nothing less than server-grade hardware.

EOD.
DaddyGo @Cool_Corona (last edited by DaddyGo)

@Cool_Corona said in 10G Throughput with Snort:

You wouldn't be able to achieve 10G with IDS/IPS

That's why I asked 😉

+++edit:
although this may not be entirely true... 😉
https://blog.mellanox.com/2018/08/defining-smartnic/
heper @Cool_Corona

@Cool_Corona said in 10G Throughput with Snort:

You wouldn't be able to achieve 10G with IDS/IPS on nothing ~~less than server-grade hardware.

EOD.~~

I haven't come across any public posts of people who manage 10G eMix traffic with pfSense & Snort or Suricata....
I'm not claiming it's impossible.... but I doubt just throwing a lot of hardware at it will get you there.
Cool_Corona @heper

@heper said in 10G Throughput with Snort:

@Cool_Corona said in 10G Throughput with Snort:

You wouldn't be able to achieve 10G with IDS/IPS on nothing ~~less than server-grade hardware.

EOD.~~

I haven't come across any public posts of people who manage 10G eMix traffic with pfSense & Snort or Suricata....
I'm not claiming it's impossible.... but I doubt just throwing a lot of hardware at it will get you there.

You will come close to wire speed, but it takes a hefty couple of many-core Xeons and a lot of memory/good NICs.
bmeeks

I honestly don't think either binary (Snort or Suricata) is capable of sustained 10G operation regardless of hardware thrown at it. At least not with anything approaching a decent rule set enabled. Maybe it would be close to that speed if all the packets were jumbo frames with maxed-out payloads, but with a typical mix of small and large packets I think it would be tough to meet 10G throughput.
aadder

I have 700-series Intel NIC cards, 4-port and 2-port. My switch comes to me Monday: a 9000-series Cisco, 48-port. I won't be switching to Xeon; I'll use Epyc CPUs. No big deal about it not being able to. I'll get a Palo Alto firewall. Thanks everyone.
heper @aadder

@aadder said in 10G Throughput with Snort:

I'll get a Palo Alto firewall.

They seem to have products that can do IDS at 10G mix.... starting at around $40,000.
DaddyGo @heper

@heper said in 10G Throughput with Snort:

Starting at around $40,000

You have the winning point 🤘 😉
DaddyGo @aadder

@aadder said in 10G Throughput with Snort:

I won't be switching to Xeon; I'll use Epyc CPUs.

It doesn't matter... Xeon or Epyc (AMD), we aren't talking about this here.... think of the "netmap" stuff in IPS, for example, and many other factors...

After all, we did not receive a response about the environment of use???

Where is this insane speed needed?
And/or next to the examination of packages? (IDS/IPS)
bmeeks

@heper is correct. I did not mean to imply nothing could do 10G IDS, but was instead referring to the FOSS (Free Open Source Software) world. Sure, with customized hardware and proprietary software, anything is possible for a price.

But there is quite a world of cost difference between "free" with pfSense and Snort or Suricata and "$40,000 USD or more" for proprietary systems.
DaddyGo @bmeeks

@bmeeks said in 10G Throughput with Snort:

But there is quite a world of cost difference between "free" with pfSense and Snort or Suricata and "$40,000 USD or more" for proprietary systems.

Hello Bill,

I just want to note this, Bill: when I'm watching a lot of Reddit (homelab porn or other) topics,

more and more guys are building a 10Gig network at home, with cheap (but) working HPE, Cisco, Dell stuff they are buying on eBay for pennies.

They think it is necessary at home or has benefits...
but this approach is superfluous...

And many people think that speed + IDS/IPS does something serious in a 5-15 endpoint network.
bmeeks @DaddyGo (last edited by bmeeks)

@DaddyGo said in 10G Throughput with Snort:

@bmeeks said in 10G Throughput with Snort:

But there is quite a world of cost difference between "free" with pfSense and Snort or Suricata and "$40,000 USD or more" for proprietary systems.

Hello Bill,

I just want to note this, Bill: when I'm watching a lot of Reddit (homelab porn or other) topics,

more and more guys are building a 10Gig network at home, with cheap (but) working HPE, Cisco, Dell stuff they are buying on eBay for pennies.

They think it is necessary at home or has benefits...
but this approach is superfluous...

And many people think that speed + IDS/IPS does something serious in a 5-15 endpoint network.

I agree with you that having 10G at home is not a huge necessity for now. I won't be so confident, though, to say it is "never needed". That would be like the legendary Bill Gates quote from 1981 where he reportedly uttered "640K ought to be enough for everybody". While the fact whether he actually said that is still contested (he says "no", but others say "yes"), it makes for a fun example of poor future planning.

I will say that I don't see the current Snort 2.9.x binary branch being capable of 10G IDS due to its single-threaded nature. Well, unless someone invents and then sells a cheap quantum-based processor ... 🙂, or one based on Star Trek di-lithium crystals or some other exotic material.

Suricata perhaps might get there, but even it still needs a lot of work to make all parts multithreaded. There are still some performance bottlenecks in the Suricata multi-threaded engine. Plus it requires a lot of very complicated tuning (as in setting various oblique parameter values in the suricata.yaml conf file) to reach maximum speeds.

Finally, as has been mentioned on these forums multiple times in the recent past, the rise of encrypted network traffic has effectively neutered most IDS/IPS installations unless the admin is doing some kind of MITM interception and decryption with proxying. The IDS can't peer into encrypted payloads. And there are loads of them today with TLS and SSL being so pervasive. In fact, cleartext network traffic is just about an anachronism now.
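As an added illustration of the frame-size point made in this thread (it is not code or numbers from any of the posters): at line rate, the number of frames per second a 10G link delivers, and therefore the per-packet time an IDS engine has, is set almost entirely by frame size. The 7:4:1 "simple IMIX" mix and the worker-count parameter are constructed assumptions for the example.

```python
# Added example (not from the thread): frame rates a 10 Gbit/s link delivers at
# line rate for a fixed frame size and for a weighted size mix, and the resulting
# per-frame time budget for an IDS worker thread.
# On the wire every Ethernet frame also carries 8 bytes of preamble/SFD and a
# 12-byte inter-frame gap, so 20 bytes of overhead are added per frame below.

LINE_RATE_BPS = 10_000_000_000   # 10 Gbit/s
WIRE_OVERHEAD = 20               # preamble + SFD + inter-frame gap, in bytes


def frames_per_second(frame_bytes: int, rate_bps: int = LINE_RATE_BPS) -> float:
    """Line-rate frames/s for one fixed frame size (frame_bytes includes the FCS)."""
    return rate_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)


def imix_frames_per_second(mix, rate_bps: int = LINE_RATE_BPS) -> float:
    """Line-rate frames/s for a weighted mix given as [(frame_bytes, weight), ...]."""
    total_weight = sum(w for _, w in mix)
    avg_wire_bytes = sum((b + WIRE_OVERHEAD) * w for b, w in mix) / total_weight
    return rate_bps / (avg_wire_bytes * 8)


def per_frame_budget_ns(fps: float, workers: int = 1) -> float:
    """Nanoseconds each of `workers` threads has per frame to keep up with `fps`."""
    return 1e9 / fps * workers


# Constructed "simple IMIX" used for sizing: 7:4:1 of 64-, 594- and 1518-byte frames.
SIMPLE_IMIX = [(64, 7), (594, 4), (1518, 1)]

if __name__ == "__main__":
    for label, fps in [
        ("9000-byte jumbo frames", frames_per_second(9000)),
        ("1518-byte frames", frames_per_second(1518)),
        ("simple IMIX", imix_frames_per_second(SIMPLE_IMIX)),
        ("64-byte frames", frames_per_second(64)),
    ]:
        print(f"{label:24s} {fps:14,.0f} frames/s  "
              f"{per_frame_budget_ns(fps):8.1f} ns/frame (1 worker)  "
              f"{per_frame_budget_ns(fps, workers=8):8.1f} ns/frame (8 workers)")
```

Jumbo frames leave an engine on the order of seven microseconds per frame, while 64-byte frames at 10G arrive every 67 ns; a realistic mix sits in between, which is why the same rule set behaves very differently under the two loads.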
DaddyGo @bmeeks

@bmeeks said in 10G Throughput with Snort:

That would be like the legendary Bill Gates quote from 1981 where he reportedly uttered "640K ought to be enough for everybody".

This is a good quote, I heard it a long time ago :)- MS + Bill G + DOS :)

I was almost 20 at the time... and I was past these, -

the historical summary (you know, I enjoyed these at the time):
(and now I can barely turn my head when the world is rushing)

https://hu.wikipedia.org/wiki/Intel_8088
https://hu.wikipedia.org/wiki/Sinclair_Spectrum
https://hu.wikipedia.org/wiki/Commodore_64
(of which there are two more in the attic)
https://en.wikipedia.org/wiki/IBM_Personal_Computer_XT
https://hu.wikipedia.org/wiki/Pentium_III
https://en.wikipedia.org/wiki/MMX_(instruction_set)

and
https://en.wikipedia.org/wiki/Simons%27_BASIC
https://en.wikipedia.org/wiki/Windows_3.1x
https://hu.wikipedia.org/wiki/Windows_95
https://hu.wikipedia.org/wiki/Windows_98

How about this?

https://www.theregister.com/2020/11/19/nvidia_q3_2021/
https://www.theregister.com/2020/09/29/esxionarm_is_real_and_vmware/
https://www.theregister.com/2020/10/15/nvidia_ai_supercomputer_italy_2022/

This world will leap enormously.
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.